blob: 87824d4c9ed19dd67177903c6ae69f6961b9480f [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/test_root_certs.h"
#include <Security/Security.h>
#include "base/logging.h"
#include "base/mac/mac_util.h"
#include "base/mac/scoped_cftyperef.h"
#include "net/cert/x509_certificate.h"
namespace net {
namespace {
typedef OSStatus (*SecTrustSetAnchorCertificatesOnlyFuncPtr)(SecTrustRef,
Boolean OurSecCertificateEqual(const void* value1, const void* value2) {
if (CFGetTypeID(value1) != SecCertificateGetTypeID() ||
CFGetTypeID(value2) != SecCertificateGetTypeID())
return CFEqual(value1, value2);
return X509Certificate::IsSameOSCert(
const void* RetainWrapper(CFAllocatorRef unused, const void* value) {
return CFRetain(value);
void ReleaseWrapper(CFAllocatorRef unused, const void* value) {
// CFEqual prior to 10.6 only performed pointer checks on SecCertificateRefs,
// rather than checking if they were the same (logical) certificate, so a
// custom structure is used for the array callbacks.
const CFArrayCallBacks kCertArrayCallbacks = {
0, // version
} // namespace
bool TestRootCerts::Add(X509Certificate* certificate) {
if (CFArrayContainsValue(temporary_roots_,
CFRangeMake(0, CFArrayGetCount(temporary_roots_)),
return true;
CFArrayAppendValue(temporary_roots_, certificate->os_cert_handle());
return true;
void TestRootCerts::Clear() {
bool TestRootCerts::IsEmpty() const {
return CFArrayGetCount(temporary_roots_) == 0;
OSStatus TestRootCerts::FixupSecTrustRef(SecTrustRef trust_ref) const {
if (IsEmpty())
return noErr;
// Despite SecTrustSetAnchorCertificatesOnly existing in OS X 10.6, and
// being documented as available, it is not actually implemented. On 10.7+,
// however, it always works.
if (base::mac::IsOSLionOrLater()) {
OSStatus status = SecTrustSetAnchorCertificates(trust_ref,
if (status)
return status;
return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_);
if (!allow_system_trust_) {
// Avoid any copying if system roots are not to be trusted. This acts as
// an exclusive list on 10.6, replacing the built-ins.
return SecTrustSetAnchorCertificates(trust_ref, temporary_roots_);
// Otherwise, both system trust and temporary_roots_ must be trusted.
// Emulate the functionality of SecTrustSetAnchorCertificatesOnly by
// creating a copy of the system roots and merging with temporary_roots_.
CFArrayRef system_roots = NULL;
OSStatus status = SecTrustCopyAnchorCertificates(&system_roots);
if (status)
return status;
base::ScopedCFTypeRef<CFArrayRef> scoped_system_roots(system_roots);
base::ScopedCFTypeRef<CFMutableArrayRef> scoped_roots(
CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, scoped_system_roots));
CFArrayAppendArray(scoped_roots, temporary_roots_,
CFRangeMake(0, CFArrayGetCount(temporary_roots_)));
return SecTrustSetAnchorCertificates(trust_ref, scoped_roots);
void TestRootCerts::SetAllowSystemTrust(bool allow_system_trust) {
allow_system_trust_ = allow_system_trust;
TestRootCerts::~TestRootCerts() {}
void TestRootCerts::Init() {
temporary_roots_.reset(CFArrayCreateMutable(kCFAllocatorDefault, 0,
allow_system_trust_ = true;
} // namespace net